CVE-2021-41225Use of Uninitialized Resource in Tensorflow

CWE-908Use of Uninitialized Resource6 documents5 sources
Severity
7.8HIGHNVD
CNA5.5
EPSS
0.0%
top 95.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
TensorflowGoogle TensorflowIntel Optimization FOR Tensorflow
Timeline
PublishedNov 5
Latest updateNov 10

Description

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's Grappler optimizer has a use of unitialized variable. If the `train_nodes` vector (obtained from the saved model that gets optimized) does not contain a `Dequeue` node, then `dequeue_node` is left unitialized. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported ran

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

NVDgoogle/tensorflow2.4.02.4.4+3
CVEListV5tensorflow/tensorflow< 2.4.4+2
PyPIintel/optimization_for_tensorflow2.6.02.6.1+4

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
A use of uninitialized value vulnerability in Tensorflow2021-11-10
GHSA
A use of uninitialized value vulnerability in Tensorflow2021-11-10
CVEList
A use of uninitialized value vulnerability in Tensorflow2021-11-05
OSV
CVE-2021-41225: TensorFlow is an open source platform for machine learning2021-11-05

📋Vendor Advisories

1
Debian
CVE-2021-41225: tensorflow - TensorFlow is an open source platform for machine learning. In affected versions...2021
CVE-2021-41225 — Use of Uninitialized Resource | cvebase